
On my Kindle I am root

Starting from the end

That's my Kindle in the screenshot running a full screen terminal. I'm about to run nmap (a network mapping program) inside a chrooted Debian ARM installation I put on the device. Having Debian on the device isn't really necessary for hacking the Kindle but it does make it easier to install ARM binaries of just about any of the 25,000 packages in Debian. Yep, apt-get works on my Kindle!

More practically I can now SSH into the device over the WIFI, use SFTP to transfer over new books without having to mess around with a USB cable, etc.

The device can still get books from Amazon, but I've disabled its ability to auto-update firmware. Now that I control my device I'd like to keep it that way, even if there's no immediate practical benefit.

Besides, it's one thing to know on a theoretical level that the device runs Linux, and another to be able to see for yourself which processes are running:

Rewinding back to the beginning

Besides my workstation, my Kindle is the device I use the most. By far.

So much that it's almost wearable computing by now. When I take a break I stick it in my pocket and have Tom Glynn's synthesized voice quickly humming whatever I'm reading to me while my hands are free to eat my meals, take care of boring errands, etc.

It's maybe the only mobile device I feel has unambiguously improved my quality of life in a net positive way (I'll leave my gripes with smart phones for another time).

My only major concern with the Kindle is that I'm not supposed to have full control over it:

If it's connected to a network, Amazon can update my firmware remotely at any time without asking me first, possibly changing the device's behavior in undesirable ways. They can spy on my reading (how would I know?), delete my books, etc.

I can't customize its behavior. I keep having these ideas on little features that would make the device even more useful to me but probably wouldn't make sense for the average user. I don't expect Amazon (or any other consumer company for that matter) to design a product that fits perfectly with my needs out of the box.

I know there's Linux under the hood and I want root on it. On principle dammit!

OK, maybe not just on principle. The Kindle is a very low cost, super lightweight, ARM Linux machine with an eInk display that can be easily read in bright sunlight, a great text-to-speech system, amazing battery life, WIFI / 3G access, a nice bit of storage, sound output and even a hidden microphone. There are endless creative off-label things you could do with it.

Considering all the features packed into the Kindle the price is jaw dropping. Amazon probably isn't making a profit on the hardware. Heck, the "special offers" Kindle now costs just $79. That's $20 less than the $99 ARM SheevaPlug, which doesn't have nearly as many features.

So over the weekend I took a look and it turns out that since I last checked a nice Kindle hacking community has sprung up, discovered that the Kindle doesn't have any real security, and made available all the tools you need to take full control over your device.

Kindle hacking is in its infancy but there's already a pretty sweet list of homebrew hacks that let you, for example, replace the dead people in your screensavers, change/add new fonts, etc.

I found everything online. Mostly on the excellent mobileread forums but it took time to make sense of it all. The documentation is often a somewhat confusing and dodgy patchwork so I took notes, tested what worked on my Kindle and figured it would be useful to summarize my "crystallized" understanding for the benefit of others who might want to go down the same road.

Rooting your Kindle

Under the hood Amazon's firmware updates are just glorified shell scripts in a proprietary package format that contains an embedded Amazon signature.

The first thing we need to do to get control of the device is "jailbreak" it, which really just adds a "hacked" key to the keyring used to verify the package signature.

Install the Jailbreak

Currently the latest version of the Jailbreak is 0.7. To install it you just transfer the .bin file that's right for your version of the Kindle (e.g., update_jailbreak_0.7.N_k3w_install.bin for the Kindle 3 WiFi) into the device root and then update the device:

Home > Settings > Menu > Update Kindle

Now you can install packages signed by a non-secret hacked key. The Jailbreak contains a whitelist of md5sums of known good hacks.

Install usbnet hack

The Kindle 2 has a hidden USB network mode, probably left over from development. When activated, the Kindle would behave as a USB network device rather than a USB mass storage device. This allowed you to do neat things such as tethering the device to your laptop.

Kindle 3 seems to have removed this feature, but the usbnet hack reactivates it and installs busybox (a micro shell environment), dropbear (a micro SSH server) and a few other utilities to allow you to SSH into your device and explore its insides.

After installation, usbnet creates a usbnet directory in your kindle root which contains its configuration files:

Now we'll unmount (i.e., "eject") the Kindle from our computer, disconnect the USB connection to take it out of mass storage mode, and enable usbnet mode.

Press [DEL] on your Kindle to bring up the search bar and do the following "searches":

;debugOn
~help # just for fun
~usbNetwork
;debugOff

The commands are not case sensitive. Usually you don't want to stay in debugging mode because it turns off various power saving features, such as switching off WIFI when your Kindle is not connected to USB. It also turns on verbose logging.

Now when you connect your Kindle to your computer via USB, it isn't recognized as a mass storage device but rather as a USB network device.

This is what dmesg says when I connect the Kindle in mass storage mode:

Note that with the usbnet hack, by default SSH only works over the USB host-to-host connection. SSH is configured not to ask for the root password so usbnet wisely disables SSH over WIFI for security reasons.

To safely turn on SSH over WIFI we'll want to harden our Kindle a bit first: set up SSH authentication, change the default keys and passwords, and then reconfigure usbnet to allow SSH over WIFI.

We can configure this stuff in mass storage mode by editing files in usbnet/etc under the Kindle root, or via SSH on the USB host-to-host network. BTW, the Kindle root you see in mass storage mode is mounted at /mnt/us on the Kindle.

Anyhow, after connecting the Kindle to our computer in usbnet mode we have a new device, usb0 which we will configure to suit the default usbnet setup:

Restart usbnet by toggling it off and back on with the hidden ~usbNetwork command (from the search bar in ;debugOn mode).

Test that you can still log into SSH via the usb0 connection. That means you've configured everything correctly.
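The host-side part of the procedure above (assign an address to usb0, then check that SSH still works over it) can be scripted so that it fails early and visibly. The script below is an added example; it is not code from the post or from the usbnet package. It assumes the host interface is usb0 and is configured with iproute2 (the ip tool), and it defaults to the addresses a commenter on this page reports for the Kindle 3 (192.168.2.1/24 on the host, 192.168.2.2 on the Kindle). Another commenter reports a different subnet on a Kindle 4 (192.168.15.x), so before touching the interface the script checks that the host and Kindle addresses are actually on the same subnet, and it probes SSH in batch mode so that a password prompt (key authentication not set up) shows up as an error instead of a hang.

```shell
#!/bin/sh
# Added example: host-side setup and check for the usbnet link.
# Not code from the post or from the usbnet package. Assumptions:
#   - the host interface is usb0 and is configured with iproute2 (ip)
#   - Kindle 3 addresses as reported by a commenter on this page:
#     host 192.168.2.1/24, Kindle 192.168.2.2 (other models differ)
# Usage: sh usbnet-host.sh connect [IFACE HOST_CIDR KINDLE_IP]

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet HOST_CIDR KINDLE_IP: returns 0 if both addresses share the
# network prefix, 1 if they do not, 2 if HOST_CIDR is not of the form a.b.c.d/N.
same_subnet() {
    host=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "expected a.b.c.d/N, got $1" >&2; return 2 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "prefix length $prefix out of range" >&2; return 2
    fi
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    h=$(ip4_to_int "$host")
    k=$(ip4_to_int "$2")
    [ $(( h & mask )) -eq $(( k & mask )) ]
}

# Assign the host address and bring the interface up (needs root).
# "replace" rather than "add" keeps this idempotent across re-runs.
usbnet_host_up() {
    ip addr replace "$2" dev "$1" && ip link set "$1" up
}

# Probe SSH on the Kindle side. BatchMode=yes makes ssh fail instead of
# prompting, so a password prompt shows as an error rather than a hang;
# ConnectTimeout bounds the wait if the link is not actually up.
usbnet_ssh_check() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" 'uname -a'
}

# Validate the addresses, bring up the link, then verify SSH works over it.
usbnet_connect() {
    iface=${1:-usb0}
    host_cidr=${2:-192.168.2.1/24}
    kindle_ip=${3:-192.168.2.2}
    if ! same_subnet "$host_cidr" "$kindle_ip"; then
        echo "host $host_cidr and Kindle $kindle_ip are on different subnets; check usbnet/etc/config" >&2
        return 1
    fi
    usbnet_host_up "$iface" "$host_cidr" || return 1
    usbnet_ssh_check "$kindle_ip"
}

# Entry point; nothing runs unless invoked with "connect".
case ${1-} in
    connect) shift; usbnet_connect "$@" ;;
esac
```

Run it once interactively (ssh root@192.168.2.2) before relying on the batch-mode check, so the Kindle's host key is already in known_hosts; BatchMode=yes also refuses to confirm a new host key.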

Now turn on Wifi and see if you can log in over WIFI. You can find out the Kindle's IP address by accessing the secret 711 network info screen:

Home > Menu > Settings >
# ALT + U Q Q
711

As long as your Kindle is plugged into USB (in your computer or the power charger), it will remain accessible via WIFI even if the screensaver is active. In debugging mode the WIFI stays on even when your Kindle is not plugged in.

As is typical for embedded ARM devices the WIFI chip is usually sleeping to conserve power which makes for a slightly jittery interactive SSH session. Not too bad though.

For extra convenience, I configured my local WIFI router to bind the Kindle always to the same IP address (e.g., 10.0.0.15).

Keep in mind that your Kindle filters out ICMP pings on the WIFI so it won't respond to a regular ping, but it will respond to arping:

I transferred over a 50MB test file to test the transfer rate. With good connectivity I can get 1.5MB/s over the WiFi. The USB host-to-host is slightly faster at about 2MB/s, and the mass storage interface is fastest at 6MB/s.

Preventing Amazon from auto-updating your firmware

As far as I can tell the easiest and surest way to prevent Amazon from auto-updating your Kindle is to knock out the keys it uses to verify the signatures:

mv /etc/uks /etc/uks.disabled

Under the hood, the Kindle is programmed to get firmware updates automatically via the TODO service, which gives the Kindle a list of things to do including getting new books (or deleting existing books) and/or getting new firmware.
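Renaming /etc/uks is a one-line change, but it cuts both ways: with the keyring gone, installing further hacks through "Update Kindle" fails too, until the directory is renamed back (one of the commenters on this page lost time to exactly that). The script below is an added example, not part of the post or of any Kindle package. It wraps the rename in status/disable/enable functions that are idempotent, refuse to run when the parent directory is not writable (a commenter reports being unable to make the root filesystem writable), and take a root directory argument so the logic can be tried in a scratch directory on a PC before running it as root on the Kindle.

```shell
#!/bin/sh
# Added example: manage the Kindle's update-signature keyring directory.
# Not part of the post, the jailbreak or the usbnet package.
# Usage: sh uks.sh status|disable|enable [ROOT]
# ROOT defaults to / (the Kindle's root filesystem); pass a scratch
# directory such as /tmp/fakeroot to try the logic on a PC first.

UKS_SUFFIX=.disabled

# Path of the keyring directory under ROOT ("/" -> /etc/uks).
uks_dir() {
    echo "${1%/}/etc/uks"
}

# Print enabled, disabled or missing.
uks_status() {
    d=$(uks_dir "$1")
    if [ -d "$d" ]; then
        echo enabled
    elif [ -d "$d$UKS_SUFFIX" ]; then
        echo disabled
    else
        echo missing
    fi
}

# The rename needs a writable parent directory (/etc). If the root
# filesystem is mounted read-only, fail loudly instead of letting mv
# error out half way.
uks_check_writable() {
    parent=$(dirname "$(uks_dir "$1")")
    if [ ! -w "$parent" ]; then
        echo "$parent is not writable; remount the root filesystem read-write first" >&2
        return 1
    fi
}

# Move /etc/uks out of the way: signature checks on update packages fail,
# so Amazon's automatic firmware updates no longer apply. Installing
# further hacks via "Update Kindle" fails as well until uks_enable.
uks_disable() {
    d=$(uks_dir "$1")
    case $(uks_status "$1") in
        disabled) echo "updates already disabled"; return 0 ;;
        missing)  echo "no keyring directory at $d" >&2; return 1 ;;
    esac
    uks_check_writable "$1" || return 1
    mv "$d" "$d$UKS_SUFFIX" && echo "updates disabled ($d -> $d$UKS_SUFFIX)"
}

# Undo the rename, e.g. before installing a new hack or a wanted update.
uks_enable() {
    d=$(uks_dir "$1")
    case $(uks_status "$1") in
        enabled) echo "updates already enabled"; return 0 ;;
        missing) echo "no keyring directory at $d" >&2; return 1 ;;
    esac
    uks_check_writable "$1" || return 1
    mv "$d$UKS_SUFFIX" "$d" && echo "updates enabled ($d restored)"
}

# Command-line entry point; does nothing when the file is sourced.
case ${1-} in
    status)  uks_status  "${2:-/}" ;;
    disable) uks_disable "${2:-/}" ;;
    enable)  uks_enable  "${2:-/}" ;;
esac
```

Typical use on the device is sh uks.sh disable, and sh uks.sh enable right before installing a hack or an update you actually want; sh uks.sh status tells you which state the Kindle is in when an install mysteriously fails.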

Some people in the community have gone as far as to change the URLs in the framework and pass them through a proxy server setup to selectively mirror Amazon's TODO requests.

Uninstalling hacks

All the hacks I've come across so far come with an installer and uninstaller *.bin files. Just in case, I copy the uninstaller for the hacks I install to my Kindle's root under "uninstallers". That way I can always roll back hacks later if I want:

Comments

In the "Rewinding to the beginning" section you've got this sentence fragment in the middle of another sentence: "the key that Amazon uses to update".

I think the paragraph should read:

"So much that it's almost wearable computing by now. When I take a break I stick it in my pocket and have Tom Glynn's synthesized voice quickly humming whatever I'm reading to me while my hands are free to eat my meals, take care of boring errands, etc."

I want to root my Kindle now too! :) Although I must admit that I get a little nervous about hacking devices. I think of all the silly things I've done on PCs over the years and the times I've foobarred OSs of all varieties with a few simple keystrokes... On a PC though a clean install is (relatively) easy. Not always quite the case on a bricked device...

I appreciate the clear write up and I may well give this a go sometime soon! I'll post back if/when I do.

I wouldn't worry too much about bricking the Kindle. With some devices you have to go to pretty extreme lengths to get control, with the Kindle everything seems to run as root under the hood anyway. The device's security seems to be mostly for show, like the Kindle development team doesn't really care about that sort of thing - which they probably don't.

Yeah, I must admit it sounds pretty straightforward. And I have come a long way since my days of trashing stuff (it hasn't happened for a while now). And I think I can contain myself and hold back on deleting the root fs! :)


ssh'ing into a device and exploring its innards really brings home the fact that there's a little general purpose computing device lurking in there. Security isn't a high priority in these devices. They have an ever increasing number of sensors. High resolution cameras, microphones, GPS, etc. Perfect little spying devices that will eventually be everywhere. Wait till you can SSH into a bug sized micro-copter...

Maybe a memory stick upload to a Kindle, Android, Nook, what have you, would be an interesting take on a TKL setup. What stands out to me are the layers of modifications that it takes to get this to work together... and that you can piece the sequencing together.

Thinking about general Linux/Ubuntu/Debian how would one start to learn and understand the "startup roll" that one sees at boot time? Particularly, how to understand each of the components at loadup are referenced and where they each start and finish? I can chunder around a running system and get it to shutdown etc, but I would love to start to understand the configuration process in the context of the old "autoexec.bat" file.

Debian uses the classical serial SysV init process which is very simple to understand. The first process the kernel runs is init, which reads /etc/inittab to figure out which configuration scripts to run for the runlevel you are on (typically runlevel 3 or 5). Usually this is /etc/init.d/rc running scripts in /etc/rc3.d, and those are symbolic links to configuration scripts in /etc/init.d.

On Ubuntu they've introduced a replacement for SysV init called upstart to allow the system to boot up asynchronously. One of the things that means is that configuration tasks that can run in parallel do, and the initialization process only blocks for dependencies (e.g., network filesystems can't mount before the network comes up). Due to its parallel nature, exactly what happens in what order when your system boots up under Upstart is a bit hard to understand and predict, but many scripts, especially the server stuff still run in SysV init compatibility mode. Upstart scripts are in /etc/init.

It should be noted that the reason upstart works asynchronously is to start things as quickly as possible, so that those items that have no interdependencies don't block each other, as they do in SysV init. (Lest you wonder if complexity is for the sake of complexity :-D).

upstart has some complexity incurred by a bad design idea. systemd is what rocks the boat now. It has (from the user's perspective) a much simpler approach to parallelising the startup procedure. autoexec.bat is more like a tiny script (/etc/rc.conf on some systems). SysV init scripts, upstart and systemd are more like services from the Windows world.

Glorious guide; I was about to give in navigating the horror that is the mobileread wiki, and now I have my own little chrooted Debian installation, so thank you for this!

One quick question, though -- using that terminal, the fullscreen one, I seem to lose a character from the far right of my display. Whilst not insurmountable, this is kinda annoying. Did you encounter this, and if so, do you know of any way to make it work?

I was following your instructions and have successfully installed the jailbreak, usbnetwork hack, and installed Debian. However, I was trying to add /opt/bin to PATH, and accidentally ended up deleting /etc/profile (I was editing it with nano and the connection between my computer and my Kindle broke, and that somehow deleted it)! Now none of the paths are displayed (instead of root@kindle~# it displays just #). I successfully restored PATH so binaries can still run, but the rest of /etc/profile is gone. Would anyone be kind enough to post the contents of YOUR /etc/profile on your Kindle so I can copy it to mine (it doesn't contain any personal data, and my computer's /etc/profile won't work on the Kindle)?

I have rooted my Kindle 3 Keyboard WiFi only and installed the usbnetwork. I tried putting the Kindle in usbnetwork mode using ;debugOn ~help (which works) ~usbNetwork ;debugOff but still get the same dmesg about Kindle mass storage. Occasionally, I have gotten the usbnetwork to register cdc_ether. I tried to ssh into the Kindle at 192.168.2.2 and it asks for a password. I have heard that "mario" is the password but it didn't work for me. Can someone send me a copy of their config file in usbnet/etc? I changed K3_WIFI and K3_WIFI_SSHD_ONLY to "true" from false. What about the sshd_config file? Any help would be appreciated. I am trying to set up the Kindle as a terminal for my Raspberry Pi.

I copied back the original config and sshd_config in the /usbnet/etc folder and was able to ssh into my kindle as framework@192.168.2.2 using password mario. however, I can't change the root password as framework and I can't make the root file system writable. Any suggestions?

After restarting my Kindle with menu-settings-menu-restart, the Kindle mistakenly thinks it is in USB mode and wants the computer to eject it. However, it actually is in usb-network mode: I can telnet to it, and the computer can't eject it. While in USB mode, it is totally passive. How can I break this deadlock? It should be easy, hey, I am root when telnetting, but I can't figure it out.

I just started installing some of the hacks for the Kindle DXG, being most interested by the usbnetwork hack in order to gain ssh access to my kindle embedded linux system.

My Kindle DXG is using FW 2.5.8 (555370010).

I have successfully jailbroken this Kindle DXG with "update_jailbreak_0.11.N_dxg_install.bin" then successfully installed "update_python_0.2.N_dxg_install.bin", "update_ss_0.33.N_dxg_install.bin" and "update_fonts_5.6.N_dxg_install.bin".

The filesystem looks perfectly in line with what is expected when I mount the Kindle as a USB storage device on my BSD system: all folders python, linkss and the like are there and the kits seem complete.

Then I install the usbnetwork hack "update_usbnetwork_0.46.N_dxg_install.bin" the same way, renaming "<mountpoint>/usbnet/DISABLED_auto" as "<mountpoint>/usbnet/auto", as requested to start the service upon the Kindle reboot.

At that point, I put the Kindle DXG in debug mode (;debugOn), and enable the usbnetwork service through " `usbNetwork", ignoring " `usbQa " for now.

I plug the Kindle DXG into my computer and indeed see the USB Ethernet device, named "ue0" on my FreeBSD box:

ugen2.2: <Linux 2.6.22.19-lab126arcudc> at usbus2
cdce0: <RNDIS Communications Control> on usbus2
cdce0: No valid alternate setting found
device_attach: cdce0 attach returned 6
cdce0: <Ethernet Data> on usbus2
cdce0: faking MAC address
ue0: <USB Ethernet> on cdce0
ue0: Ethernet address: 2a:dc:6f:70:05:00

I set up my host address for this interface as per usbnet/etc/config:

- 192.168.2.1/24 for the BSD box

- 192.168.2.2 for the Kindle (I guess this is set automatically upon enabling the usbnetwork service via " `usbNetwork " private command).

Except that now, pinging the Kindle DXG at 192.168.2.2 gets no response. Same for ssh or telnet.

I cannot access the Kindle.

Did I miss something?

Who has actually successfully enabled usbnetwork as described here on a 2.5.8 Kindle DX Graphite?

Thank you for any help.

Franck

PS. My vision is to develop/extend lots of useful things for this Kindle. For one thing, I would like to enable and use a real console on it, then extend or replace the actual reader with a tabbed reader, to allow opening several books at the same time, and simply go from one to another with simple keyboard key sequences.

Thank you for the interesting article! I have successfully "SSH'ed" into my Kindle Keyboard (K3). I did this using WinSCP, which I do not think is Linux, so perhaps my question is misplaced here, but...

I am not interested in using Whispernet or tethering my Kindle Keyboard. I just want to be able to use the "experimental browser" on my home wi-fi network without it running through Amazon's proxy(?) first.

I cannot seem to find clear/concise instructions as to how to avoid the Amazon proxy.

Can you point me in the proper direction? I see the information you've posted above about the TODO servers, etc, but remain puzzled as to whether you've changed that information or if that is the original information that needs to be changed.

Hi, I am impressed with what the author here did with his Kindle, though I am even more interested to know if it is possible to use any standard PC keyboard with it.

I am in the course of acquiring the hobby of writing but I hate writing on paper (typewriters inc.) and I hate writing on netbooks and notebooks as well.

Please tell me what other options I have. I was thinking my needs are met with a screen and keyboard but that's all.
I know I am a bit of a hypocrite asking for help in turning what was conceived as a reading device into a writing one, but I cannot help myself. I got sick of reading; I want now to try writing. Think of it more as therapeutic reasoning than alphabetically challenged... anything that can keep me away from the internet as much as possible. And stores...

There is a Kindle with keyboard... In fact the author of this post possesses one, since he guided how to install kiterm (otherwise, this app would be useless).

After you get this Kindle with keyboard and follow the instructions on how to jailbreak it and gain access to the terminal, all you need is to know how to handle vi or emacs. They are both text editors, mainly used for scripting, but writing poems or prose is also possible :P Using them is pretty simple.

I wouldn't recommend it for any serious typing... I imagine that you are hoping to connect a 'proper' keyboard. TBH I am not sure if the hardware actually supports this, although it would be quite easy to test if you get a microUSB B (male - to connect to Kindle) to USB A (female - to connect to keyboard) adaptor then connect a USB keyboard to it and see what happens (note I imagine that you would have to root the Kindle first).

None of this will be much help though if you don't already have a Kindle. Unless you have one already, or want one anyway, I wouldn't buy one on the off chance that it will work...

IMO you'd be better off buying a cheap Android tablet. In my experience you should be able to do that no worries.

I am aware of kindle with keyboard but that kbd won't make it for writing.

@Jeremy

I was thinking the same: one cheap Android tablet coupled with my very personal cheap PC keyboard that cost next to nothing and impressed me in that I rarely mistype, as it has an almost mechanical feel to it, unlike the chiclet one on the laptop. Now I will start looking for one with the most battery life and write then in textroom.

I did this, and after doing so, I was unable to install other applications that use the firmware update approach. That is, copying the update_XXX file onto my DX and then selecting the install "upgrade" menu item in settings yields a failure during the update.

Luckily it's easy to go back and rename the uks.with-suffix directory back to uks, and then I was successfully able to use install "upgrade" again. (But I did spend a long time struggling to figure out why my install attempts were failing. That's why I'm adding this comment here, so that hopefully other people with similar problems might find this explanation.)

Thanks for pulling all this diverse info into a convenient package: finding it here, instead of chasing it all over the net the way I'm sure you had to, is a big help.

There's one point that I found unclear, though: does the dropbear installed by the usbnet package work as a client, or just as a server?

I'm working on a remote sensing system controlled by a Linux SBC. What I want to do is drive out to the installation, plug in a USB WiFi dongle, and get a bash prompt from the SBC. But a bash prompt on something I can read outdoors, which is a real pain on my phone (microscopic text) or netbook (unreadable in sunlight). I thought the e-ink display would be great for this, but the KindleTerm kindlet doesn't seem to be quite ready for "production" use.

Does the kiterm version you're using have enough ncurses support that I could use it with a standard ssh client?

I have experience using this device as an SSH client and must say it does very well. Simply use the ssh command as in any Linux distro you've used before. The eInk display works very well for the CLI.

The only problem I encountered was that any time I connect to the internet my Kindle disables the hack and the whole unlocking process must be done again. Tried to disable this autoupdate by deleting several scripts without success. Good luck

While I was playing with the wifi, my K3 v3.3 downloaded an update and started the update process, luckily, all the hacks worked after the update (including usbnetwork), but I suggest you do the following as early as possible:

mv /etc/uks /etc/uks.disabled

Remember to undo the rename if you wish to apply updates later.

KUAL was very helpful for toggling USBNET.

You have to press ALT <top row 7th button> ALT <top row button 1> ALT <top row button 1> to send 711 to see the WIFI status and get the Kindle's IP address.

See, there are two sides to the connection. The host side on the computer, and the kindle side on the, well, kindle. My kindle4 has its "internal" IP set to 192.168.15.244 and expects that the IP I give the other side of this connection, on my computer, be 192.168.15.201.

I never used WiFi on my Kindle Keyboard in over three years. Last year I wished to order a book. I forgot to disable WiFi as soon as the book finished downloading, and an auto-update started. The Kindle is acting strangely now. It wants to activate WiFi all the time. It sometimes does not react to keypresses. I tried rebooting. This worked for a while, but yesterday after a reboot the Kindle went straight to Amazon Store and seemed to automatically just say yes to every opportunity. This causes it to order the first book on Amazon's best-seller list. I still hoped to get it out of the loop, but when it ordered another book, I hurriedly switched it off and rushed to the computer to cancel the orders, which fortunately it did.

I have now (too late) moved /etc/uks elsewhere. Let's hope that cures the problem.

My Kindle can't talk to Amazon now that /etc/uks is renamed. It still tries though. What now happens is that as soon as I press the Menu key, the question "Do you want to enable 3G?" appears and after a short pause is automatically answered yes. When finally it gives up trying to reach Amazon, I get an opportunity to switch off 3G, which takes a long time but eventually succeeds. But then I get a Home screen in which it asks whether to add an item to a collection, and keeps answering yes automatically, with the question alternating with do I wish to remove it.

Next try will be to move the entire /documents directory out of sight.

In my older kindle 3, I hard-wired a mouse to the pcb and got it working. I used the headphone jack port to snake the wire through. It becomes less portable though. Now I am looking for wireless possibilities - by modifying the OS if possible.

Hi! I have the silver Kindle Version 4.12, and I've just successfully connected via SSH as root. At this point, however, I wanted to get out of this mode, and I seem to be stuck. I was following Jailbreak directions that say to select "D) Exit, Reboot or Disable Diags" (using the 5-way keypad) 4. Select "R) Reboot System" and "Q) To continue" (following on-screen instructions, when it tells you to use 'FW Left' to select an option, it means left on the 5-way keypad) This seems to reboot the kindle, only reboots it back into Diag mode. I don't know how to get out of it... and so now my Kindle is basically useless. Do you know what I'm doing wrong? Thanks so much!

"The device can still get books from Amazon, but I've disabled its ability to auto-update firmware. Now that I control my device I'd like to keep it that way, even if there's no immediate practical benefit."